Data correlation using file object cache

ABSTRACT

Some examples relate generally to computer architecture software for data classification and information security and, in some more particular aspects, to verifying audit events in a tile system.

FIELD

The present disclosure relates generally to computer architecturesoftware for data classification and information security and, in somemore particular aspects, to verifying audit events in a file system.

BACKGROUND

The sheer volume and complexity of data that is collected, analyzed andstored is increasing rapidly over time. The computer infrastructure usedto handle this data is also becoming more complex, with more processingpower and more portability. As a result, data management and storage isbecoming increasingly important. Significant aspects of these processesinclude access to reliable data backup and storage, and fast datarecovery in cases of failure. Other aspects include data portabilityacross locations and platforms.

At the same time, unauthorized access to systems and ransomware havebecome major cyber-security threats in recent times. In this regard,data security regulations such as those mandated in the General DataProtection Regulation 2016/679 (GDPR) place strict notificationobligations on data holders. The GDPR is a regulation in EU law relatingto data protection and privacy for all individuals within the EuropeanUnion and the European Economic Area. The regulation also addresses theexport of personal data outside the EU and EEA areas, such as into theUnited States. Under the GDPR regulation, if there is a data breach thedata holder is required to notify all affected users very quickly. Thus,the rapid detection of ransomware or unauthorized access to data iscritical.

SUMMARY

In an example embodiment, a data management system is provided. Thesystem may comprise: a storage device configured to store a base fileassociated with a first version of a virtual machine; a second storagedevice configured to store one or more forward incremental filesassociated with one or more versions of the virtual machine; and one ormore processors in communication with the first storage device and thesecond storage device, the one or more processors configured to performoperations including: identifying audit events associated with user fileaccesses in a monitored computer system, the audit events including acreate event and a subsequent event, the subsequent event including aread, write, or cleanup event; resolving a pair value including a userID and remote IP address at the create event; associating the pair valuewith a file object id for the base file or the one or more forwardincremental files; storing the associated file object id and pair valuein a map in a file object cache; and retrieving the file object id fromthe file object cache at the subsequent event.

In some examples, the file object id is used as an authorization orverification key for the subsequent event. In some examples, the one ormore processors is further configured to remove the file object id fromthe map in the file object cache at a cleanup event included in thesubsequent event. In some examples, the cleanup event includes a closingor deletion of a file object associated with the file object id. In someexamples, the one or more processors is further configured to apply atime stamp to the file object. In some examples, the one or moreprocessors is further configured to remove the file object id and pairvalue from the map in the file object cache based on the timestampmeeting or exceeding a threshold value.

In some examples, the audit events are associated with user fileaccesses in a monitored Windows™ computer system. In some examples, thebase and incremental files include internal files stored at a backupsystem, such as backup system by Rubrik, Inc. that may track user backupevents. Some examples of a data management system do not track auditevents on the base or incremental files but actual files on a user'sWindows™ server.

Another example embodiment includes a data management system. Here, anexample system may comprise: a first storage device configured to storea base file associated with a first version of a virtual machine; asecond storage device configured to store one or more forwardincremental files associated with one or more versions of the virtualmachine; and a mini-filter including one or more processors incommunication with the first storage device and the second storagedevice, the one or more processors of the mini-filter configured toperform operations including: identifying audit events associated withuser file accesses in a monitored computer system, the audit eventsincluding a create event and a subsequent event, the subsequent eventincluding a read, write, or cleanup event; resolving a pair valueincluding a user ID and remote IP address at the create event;associating the pair value with a file object id for the base file orthe one or more forward incremental files; and storing the associatedfile object id and pair value in a map in a file object cache. In someexamples, a mini-filter includes a kernel mode driver that tracksinput-output (IO) operations as users interact with the monitoredcomputer file system.

In some examples, the one or more processors is further configured to:retrieve the file object id from the file object cache at the subsequentevent. In some examples, the file object id is used as an authorizationor verification key for the subsequent event. In some examples, the oneor more processors is further configured to remove the file object idfrom the map in the file object cache at a cleanup event included in thesubsequent event. In some examples, the cleanup event includes a closingor deletion of a file object associated with the file object id. In someexamples, the one or more processors is further configured to apply atime stamp to the file object and remove the file object id and pairvalue from the map in the file object cache based on the timestampmeeting or exceeding a threshold value.

In yet another example embodiment, a data management system is provided.The system may comprise: at least one storage device storing a base fileand one or more forward incremental files; a mini-filter including oneor more processors in communication with the at least one storagedevice, the one or more processors configured to perform operationsincluding: identifying audit events associated with user file accessesin a monitored computer system, the audit events including a createevent and a subsequent event, the subsequent event including a read,write, or cleanup event; identifying a pair value including a user IDand remote IP address at the create event; associating the pair valuewith a file object id for the base file or the one or more forwardincremental files; storing the associated file object id and pair valuein a map in a file object cache in the at least one storage device; andretrieving the file object id from the file object cache at thesubsequent event.

In some examples, the file object id is used as an authorization orverification key for the subsequent event. In some examples, the one ormore processors is further configured to remove the file object id fromthe map in the file object cache at a cleanup event included in thesubsequent event. In some examples, the cleanup event includes a closingor deletion of a file object associated with the file object id. In someexamples, the one or more processors is further configured to apply atime stamp to the file object. In some examples, the one or moreprocessors is further configured to remove the file object id and pairvalue from the map in the file object cache based on the timestampmeeting or exceeding a threshold value.

DESCRIPTION OF THE DRAWINGS

Some embodiments are illustrated by way of example and not limitation inthe figures of the accompanying drawings:

FIG. 1 depicts one embodiment of a networked computing environment 100in which the disclosed technology may be practiced, according to anexample embodiment.

FIG. 2 depicts one embodiment of server 160 in FIG. 1, according to anexample embodiment.

FIG. 3 depicts one embodiment of storage appliance 170 in FIG. 1,according to an example embodiment.

FIG. 4 illustrates example aspects of a file object cache, according toan example embodiment.

FIGS. 5-7 each depict a block flow chart indicating example operationsin a method of the present disclosure, according to an exampleembodiment.

FIG. 8 depicts a block diagram illustrating an example of a softwarearchitecture that may be installed on a machine, according to someexample embodiments.

FIG. 9 depicts a block diagram 900 illustrating an architecture ofsoftware 902, according to an example embodiment.

FIG. 10 illustrates a diagrammatic representation of a machine 1000 inthe form of a computer system within which a set of instructions may beexecuted for causing a machine to perform any one or more of themethodologies discussed herein, according to an example embodiment.

DESCRIPTION

The description that follows includes systems, methods, techniques,instruction sequences, and computing machine program products thatembody illustrative embodiments of the present disclosure. In thefollowing description, for purposes of explanation, numerous specificdetails are set forth in order to provide a thorough understanding ofexample embodiments. It will be evident, however, to one skilled in theart that the present invention may be practiced without these specificdetails.

A portion of the disclosure of this patent document contains materialthat is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure, as it appears in the Patent and TrademarkOffice patent files or records, but otherwise reserves all copyrightrights whatsoever. The following notice applies to the software and dataas described below and in the drawings that form a part of thisdocument: Copyright Rubrik, Inc., 2018-2019, All Rights Reserved.

FIG. 1 depicts one embodiment of a networked computing environment 100in which the disclosed technology may be practiced. As depicted, thenetworked computing environment 100 includes a data center 150, astorage appliance 140, and a computing device 154 in communication witheach other via one or more networks 180. The networked computingenvironment 100 may also include a plurality of computing devicesinterconnected through one or more networks 180. The one or morenetworks 180 may allow computing devices and/or storage devices toconnect to and communicate with other computing devices and/or otherstorage devices. In some cases, the networked computing environment mayinclude other computing devices and/or other storage devices not shown.The other computing devices may include, for example, a mobile computingdevice, a non-mobile computing device, a server, a work-station, alaptop computer, a tablet computer, a desktop computer, or aninformation processing system. The other storage devices may include,for example, a storage area network storage device, a networked-attachedstorage device, a hard disk drive, a solid-state drive, or a datastorage system.

The data center 150 may include one or more servers, such as server 160,in communication with one or more storage devices, such as storagedevice 156. The one or more servers may also be in communication withone or more storage appliances, such as storage appliance 170. Theserver 160, storage device 156, and storage appliance 170 may be incommunication with each other via a networking fabric connecting serversand data storage units within the data center to each other. The storageappliance 170 may include a data management system for backing upvirtual machines and/or files within a virtualized infrastructure. Theserver 160 may be used to create and manage one or more virtual machinesassociated with a virtualized infrastructure.

The one or more virtual machines may run various applications, such as adatabase application or a web server. The storage device 156 may includeone or more hardware storage devices for storing data, such as a harddisk drive (HDD), a magnetic tape drive, a solid-state drive (SSD), astorage area network (SAN) storage device, or a Networked-AttachedStorage (NAS) device. In some cases, a data center, such as data center150, may include thousands of servers and/or data storage devices incommunication with each other. The one or more data storage devices 156may comprise a tiered data storage infrastructure (or a portion of atiered data storage infrastructure). The tiered data storageinfrastructure may allow for the movement of data across different tiersof a data storage infrastructure between higher-cost, higher-performancestorage devices (e.g., solid-state drives and hard disk drives) andrelatively lower-cost, lower-performance storage devices (e.g., magnetictape drives).

The one or more networks 180 may include a secure network such as anenterprise private network, an unsecure network such as a wireless opennetwork, a local area network (LAN), a wide area network (WAN), and theInternet. The one or more networks 180 may include a cellular network, amobile network, a wireless network, or a wired network. Each network ofthe one or more networks 180 may include hubs, bridges, routers,switches, and wired transmission media such as a direct-wiredconnection. The one or more networks 180 may include an extranet orother private network for securely sharing information or providingcontrolled access to applications or files.

A server, such as server 160, may allow a client to download informationor files (e.g., executable, text, application, audio, image, or videofiles) from the server or to perform a search query related toparticular information stored on the server. In some cases, a server mayact as an application server or a file server. In general, a server 160may refer to a hardware device that acts as the host in a client-serverrelationship or a software process that shares a resource with orperforms work for one or more clients.

One embodiment of server 160 includes a network interface 165, processor166, memory 167, disk 168, and virtualization manager 169 all incommunication with each other. Network interface 165 allows server 160to connect to one or more networks 180. Network interface 165 mayinclude a wireless network interface and/or a wired network interface.Processor 166 allows server 160 to execute computer readableinstructions stored in memory 167 in order to perform processesdescribed herein, Processor 166 may include one or more processingunits, such as one or more CPUs and/or one or more GPUs. Memory 167 maycomprise one or more types of memory (e.g., RAM, SRAM, DRAM, ROM,EEPROM, Flash, etc.). Disk 168 may include a hard disk drive and/or asolid-state drive. Memory 167 and disk 168 may comprise hardware storagedevices.

The virtualization manager 169 may manage a virtualized infrastructureand perform management operations associated with the virtualizedinfrastructure. The virtualization manager 169 may manage theprovisioning of virtual machines running within the virtualizedinfrastructure and provide an interface to computing devices interactingwith the virtualized infrastructure. In one example, the virtualizationmanager 169 may set a virtual machine having a virtual disk into afrozen state in response to a snapshot request made via an applicationprogramming interface (API) by a storage appliance, such as storageappliance 170. Setting the virtual machine into a frozen state may allowa point in time snapshot of the virtual machine to be stored ortransferred. In one example, updates made to a virtual machine that hasbeen set into a frozen state may be mitten to a separate file (e.g., anupdate file) while the virtual disk may be set into a read-only state toprevent modifications to the virtual disk file while the virtual machineis in the frozen state.

The virtualization manager 169 may then transfer data associated withthe virtual machine (e.g., an image of the virtual machine or a portionof the image of the virtual disk file associated with the state of thevirtual disk at the point in time is frozen) to a storage appliance (forexample, a storage appliance 140 or 170 of FIG. 1, described furtherbelow) in response to a request made by the storage appliance. After thedata associated with the point in time snapshot of the virtual machinehas been transferred to the storage appliance 170 (for example), thevirtual machine may be released from the frozen state (i.e., unfrozen)and the updates made to the virtual machine and stored in the separatefile may be merged into the virtual disk file. The virtualizationmanager 169 may perform various virtual machine related tasks, such ascloning virtual machines, creating new virtual machines, monitoring thestate of virtual machines, moving virtual machines between physicalhosts for load balancing purposes, and facilitating backups of virtualmachines.

One embodiment of a storage appliance 170 (or 140) includes a networkinterface 175, processor 176, memory 177, and disk 178 all incommunication with each other. Network interface 175 allows storageappliance 170 to connect to one or more networks 180. Network interface175 may include a wireless network interface and/or a wired networkinterface. Processor 176 allows storage appliance 170 to executecomputer readable instructions stored in memory 177 in order to performprocesses described herein. Processor 176 may include one or moreprocessing units, such as one or more CPUs and/or one or more GPUs.Memory 177 may comprise one or more types of memory (e.g., RAM, SRAM,DRAM, ROM, EEPROM, NOR Flash, NAND Flash, etc.). Disk 178 may include ahard disk drive and/or a solid-state drive. Memory 177 and disk 178 maycomprise hardware storage devices.

In one embodiment, the storage appliance 170 may include four machines.Each of the four machines may include a multi-core CPU, 64 GB of RAM, a400 GB SSD, three 4 TB HDDs, and a network interface controller. In thiscase, the four machines may be in communication with the one or morenetworks 180 via the four network interface controllers. The fourmachines may comprise four nodes of a server cluster. The server clustermay comprise a set of physical machines that are connected together viaa network. The server cluster may be used for storing data associatedwith a plurality of virtual machines, such as backup data associatedwith different points in time versions of the virtual machines.

The networked computing environment 100 may provide a cloud computingenvironment for one or more computing devices. Cloud computing may referto Internet-based computing, wherein shared resources, software, and/orinformation may be provided to one or more computing devices on-demandvia the Internet. The networked computing environment 100 may comprise acloud computing environment providing Software-as-a-Service (SaaS) orInfrastructure-as-a-Service (IaaS) services. SaaS may refer to asoftware distribution model in which applications are hosted by aservice provider and made available to end users over the Internet. Inone embodiment, the networked computing environment 100 may include avirtualized infrastructure that provides software, data processing,and/or data storage services to end users accessing the services via thenetworked computing environment 100. In one example, networked computingenvironment 100 may provide cloud-based work productivity orbusiness-related applications to a computing device, such as computingdevice 154. The storage appliance 140 may comprise a cloud-based datamanagement system for backing up virtual machines and/or files within avirtualized infrastructure, such as virtual machines running on server160 or files stored on server 160.

In some cases, networked computing environment 100 may provide remoteaccess to secure applications and files stored within data center 150from a remote computing device, such as computing device 154. The datacenter 150 may use an access control application to manage remote accessto protected resources, such as protected applications, databases, orfiles located within the data center. To facilitate remote access tosecure applications and files, a secure network connection may beestablished using a virtual private network (VPN). A VPN connection mayallow a remote computing device, such as computing device 154, tosecurely access data from a private network (e.g., from a company fileserver or mail server) using an unsecure public network or the Internet.The VPN connection may require client-side software (e.g., running onthe remote computing device) to establish and maintain the VPNconnection. The VPN client software may provide data encryption andencapsulation prior to the transmission of secure private networktraffic through the Internet.

in some embodiments, the storage appliance 170 may manage the extractionand storage of virtual machine snapshots associated with different pointin time versions of one or more virtual machines running within the datacenter 150. A snapshot of a virtual machine may correspond with a stateof the virtual machine at a particular point in time. In response to arestore command from the server 160, the storage appliance 170 mayrestore a point in time version of a virtual machine or restore point intime versions of one or more files located on the virtual machine andtransmit the restored data to the server 160. In response to a mountcommand from the server 160, the storage appliance 170 may allow a pointin time version of a virtual machine to be mounted and allow the server160 to read and/or modify data associated with the point in time versionof the virtual machine. To improve storage density, the storageappliance 170 may deduplicate and compress data associated withdifferent versions of a virtual machine and/or deduplicate and compressdata associated with different virtual machines. To improve systemperformance, the storage appliance 170 may first store virtual machinesnapshots received from a virtualized environment in a cache, such as aflash-based cache. The cache may also store popular data or frequentlyaccessed data (e.g., based on a history of virtual machine restorations,incremental files associated with commonly restored virtual machineversions) and current day incremental files or incremental filescorresponding with snapshots captured within the past 24 hours.

An incremental file may comprise a forward incremental file or a reverseincremental file. A forward incremental file may include a set of datarepresenting changes that have occurred since an earlier point in timesnapshot of a virtual machine. To generate a snapshot of the virtualmachine corresponding with a forward incremental file, the forwardincremental file may be combined with an earlier point in time snapshotof the virtual machine (e.g., the forward incremental file may becombined with the last full image of the virtual machine that wascaptured before the forward incremental file was captured and any otherforward incremental files that were captured subsequent to the last fullimage and prior to the forward incremental file). A reverse incrementalfile may include a set of data representing changes from a later pointin time snapshot of a virtual machine. To generate a snapshot of thevirtual machine corresponding with a reverse incremental file, thereverse incremental file may be combined with a later point in timesnapshot of the virtual machine (e.g., the reverse incremental file maybe combined with the most recent snapshot of the virtual machine and anyother reverse incremental files that were captured prior to the mostrecent snapshot and subsequent to the reverse incremental file).

The storage appliance 170 may provide a user interface (e.g., aweb-based interface or a graphical user interface) that displays virtualmachine backup information such as identifications of the virtualmachines protected and the historical versions or time machine views foreach of the virtual machines protected. A time machine view of a virtualmachine may include snapshots of the virtual machine over a plurality ofpoints in time. Each snapshot may comprise the state of the virtualmachine at a particular point in time. Each snapshot may correspond witha different version of the virtual machine (e.g., Version 1 of a virtualmachine may correspond with the state of the virtual machine at a firstpoint in time and Version 2 of the virtual machine may correspond withthe state of the virtual machine at a second point in time subsequent tothe first point in time).

The user interface may enable an end user of the storage appliance 170(e.g., a system administrator or a virtualization administrator) toselect a particular version of a virtual machine to be restored ormounted. When a particular version of a virtual machine has beenmounted, the particular version may be accessed by a client (e.g., avirtual machine, a physical machine, or a computing device) as if theparticular version was local to the client. A mounted version of avirtual machine may correspond with a mount point directory (e.g.,/snapshots/VM5Nersion23). In one example, the storage appliance 170 mayrun an NTS server and make the particular version (or a copy of theparticular version) of the virtual machine accessible for reading and/orwriting. The end user of the storage appliance 170 may then select theparticular version to be mounted and run an application (e.g., a dataanalytics application) using the mounted version of the virtual machine.In another example, the particular version may be mounted as an iSCSItarget.

FIG. 2 depicts one embodiment of server 160 in FIG. 1. The server 160may comprise one server out of a plurality of servers that are networkedtogether within a data center. In one example, the plurality of serversmay be positioned within one or more server racks within the datacenter. As depicted, the server 160 includes hardware-level componentsand software-level components. The hardware-level components include oneor more processors 182, one or more memory 184, and one or more disks185. The software-level components include a hypervisor 186, avirtualized infrastructure manager 199, and one or more virtualmachines, such as virtual machine 198. The hypervisor 186 may comprise anative hypervisor or a hosted hypervisor. The hypervisor 186 may providea virtual operating platform for running one or more virtual machines,such as virtual machine 198. Virtual machine 198 includes a plurality ofvirtual hardware devices including a virtual processor 192, a virtualmemory 194, and a virtual disk 195. The virtual disk 195 may comprise afile stored within the one or more disks 185. In one example, a virtualmachine 198 may include a plurality of virtual disks 195, with eachvirtual disk of the plurality of virtual disks associated with adifferent file stored on the one or more disks 185. Virtual machine 198may include a guest operating system 196 that runs one or moreapplications, such as application 197.

The virtualized infrastructure manager 199, which may correspond withthe virtualization manager 169 in FIG. 1, may run on a virtual machineor natively on the server 160. The virtual machine may, for example, beor include the virtual machine 198 or a virtual machine separate fromthe server 160. Other arrangements are possible. The virtualizedinfrastructure manager 199 may provide a centralized platform formanaging a virtualized infrastructure that includes a plurality ofvirtual machines. The virtualized infrastructure manager 199 may managethe provisioning of virtual machines running within the virtualizedinfrastructure and provide an interface to computing devices interactingwith the virtualized infrastructure. The virtualized infrastructuremanager 199 may perform various virtualized infrastructure relatedtasks, such as cloning virtual machines, creating new virtual machines,monitoring the state of virtual machines, and facilitating backups ofvirtual machines.

In one embodiment, the server 160 may use the virtualized infrastructuremanager 199 to facilitate backups for a plurality of virtual machines(e.g., eight different virtual machines) running on the server 160. Eachvirtual machine running on the server 160 may run its own guestoperating system and its own set of applications. Each virtual machinerunning on the server 160 may store its own set of files using one ormore virtual disks associated with the virtual machine (e.g., eachvirtual machine may include two virtual disks that are used for storingdata associated with the virtual machine).

In one embodiment, a data management application running on a storageappliance, such as storage appliance 140 in FIG. 1 or storage appliance170 in FIG. 1, may request a snapshot of a virtual machine running onserver 160. The snapshot of the virtual machine may be stored as one ormore files, with each file associated with a virtual disk of the virtualmachine. A snapshot of a virtual machine may correspond with a state ofthe virtual machine at a particular point in time. The particular pointin time may be associated with a time stamp. In one example, a firstsnapshot of a virtual machine may correspond with a first state of thevirtual machine (including the state of applications and files stored onthe virtual machine) at a first point in time and a second snapshot ofthe virtual machine may correspond with a second state of the virtualmachine at a second point in time subsequent to the first point in time.

In response to a request for a snapshot of a virtual machine at aparticular point in time, the virtualized infrastructure manager 199 mayset the virtual machine into a frozen state or store a copy of thevirtual machine at the particular point in time. The virtualizedinfrastructure manager 199 may then transfer data associated with thevirtual machine (e.g., an image of the virtual machine or a portion ofthe image of the virtual machine) to the storage appliance. The dataassociated with the virtual machine may include a set of files includinga virtual disk file storing contents of a virtual disk of the virtualmachine at the particular point in time and a virtual machineconfiguration file storing configuration settings for the virtualmachine at the particular point in time. The contents of the virtualdisk file may include the operating system used by the virtual machine,local applications stored on the virtual disk, and user files (e.g.,images and word processing documents). In some cases, the virtualizedinfrastructure manager 199 may transfer a full image of the virtualmachine to the storage appliance 140 or 170 of FIG. 1 or a plurality ofdata blocks corresponding with the full image (e.g., to enable a fullimage-level backup of the virtual machine to be stored on the storageappliance). In other cases, the virtualized infrastructure manager 199may transfer a portion of an image of the virtual machine associatedwith data that has changed since an earlier point in time prior to theparticular point in time or since a last snapshot of the virtual machinewas taken. In one example, the virtualized infrastructure manager 199may transfer only data associated with virtual blocks stored on avirtual disk of the virtual machine that have changed since the lastsnapshot of the virtual machine was taken. In one embodiment, the datamanagement application may specify a first point in time and a secondpoint in time and the virtualized infrastructure manager 199 may outputone or more virtual data blocks associated with the virtual machine thathave been modified between the first point in time and the second pointin time.

In some embodiments, the server 160 may or the hypervisor 186 maycommunicate with a storage appliance, such as storage appliance 140 inFIG. 1 or storage appliance 170 in FIG. 1, using a distributed filesystem protocol such as Network File System (NFS) Version 3, or ServerMessage Block (SMB) protocol. The distributed file system protocol mayallow the server 160 or the hypervisor 186 to access, read, write, ormodify files stored on the storage appliance as if the files werelocally stored on the server. The distributed file system protocol mayallow the server 160 or the hypervisor 186 to mount a directory or aportion of a file system located within the storage appliance.

FIG. 3 depicts one embodiment of storage appliance 170 in FIG. 1, Thestorage appliance may include a plurality of physical machines that maybe grouped together and presented as a single computing system. Eachphysical machine of the plurality of physical machines may comprise anode in a cluster (e.g., a failover cluster). In one example, thestorage appliance may be positioned within a server rack within a datacenter. As depicted, the storage appliance 170 includes hardware-levelcomponents and software-level components. The hardware-level componentsinclude one or more physical machines, such as physical machine 120 andphysical machine 130. The physical machine 120 includes a networkinterface 121, processor 122, memory 123, and disk 124 all incommunication with each other. Processor 122 allows physical machine 120to execute computer readable instructions stored in memory 123 toperform processes described herein. Disk 124 may include a hard diskdrive and/or a solid-state drive. The physical machine 130 includes anetwork interface 131, processor 132, memory 133, and disk 134 all incommunication with each other. Processor 132 allows physical machine 130to execute computer readable instructions stored in memory 133 toperform processes described herein. Disk 134 may include a hard diskdrive and/or a solid-state drive. In some cases, disk 134 may include aflash-based SSD or a hybrid HDD/SSD drive. In one embodiment, thestorage appliance 170 may include a plurality of physical machinesarranged in a cluster (e.g., eight machines in a cluster). Each of theplurality of physical machines may include a plurality of multi-coreCPUs, 108 GB of RAM, a 500 GB SSD, four 4 TB HDDs, and a networkinterface controller.

In some embodiments, the plurality of physical machines may be used toimplement a cluster-based network fileserver. The cluster-based networkfile server may neither require nor use a front-end load balancer. Oneissue with using a front-end load balancer to host the IP address forthe cluster-based network file server and to forward requests to thenodes of the cluster-based network file server is that the front-endload balancer comprises a single point of failure for the cluster-basednetwork file server. In some cases, the file system protocol used by aserver, such as server 160 in FIG. 1, or a hypervisor, such ashypervisor 186 in FIG. 2, to communicate with the storage appliance 170may not provide a failover mechanism (e.g., NFS Version 3). In the casethat no failover mechanism is provided on the client side, thehypervisor may not be able to connect to a new node within a cluster inthe event that the node connected to the hypervisor fails.

In some embodiments, each node in a cluster may be connected to eachother via a network and may be associated with one or more IP addresses(e.g., two different IP addresses may be assigned to each node). In oneexample, each node in the cluster may be assigned a permanent IP addressand a floating IP address and may be accessed using either the permanentIP address or the floating IP address. In this case, a hypervisor, suchas hypervisor 186 in FIG. 2 may be configured with a first floating IPaddress associated with a first node in the cluster. The hypervisor mayconnect to the cluster using the first floating IP address. In oneexample, the hypervisor may communicate with the cluster using the NFSVersion 3 protocol. Each node in the cluster may run a Virtual RouterRedundancy Protocol (VRRP) daemon. A daemon may comprise a backgroundprocess. Each VRRP daemon may include a list of all floating IPaddresses available within the cluster. In the event that the first nodeassociated with the first floating IP address fails, one of the VRRPdaemons may automatically assume or pick up the first floating IPaddress if no other VRRP daemon has already assumed the first floatingIP address. Therefore, if the first node in the cluster fails orotherwise goes down, then one of the remaining VRRP daemons running onthe other nodes in the cluster may assume the first floating IP addressthat is used by hypervisor for communicating with the cluster.

In order to determine which of the other nodes in the cluster willassume the first floating IP address, a VRRP priority may beestablished. In one example, given a number (N) of nodes in a clusterfrom node(0) to node(N-1), for a floating IP address (i), the VRRPpriority of nodeG) may be G-i) modulo N. In another example, given anumber (N) of nodes in a cluster from node(0) to node(N-1), for afloating IP address (i), the VRRP priority of nodeG) may be (i-j) moduloN. In these cases, nodeG) will assume floating IP address (i) only ifits VRRP priority is higher than that of any other node in the clusterthat is alive and announcing itself on the network. Thus, if a nodefails, then there may be a clear priority ordering for determining whichother node in the cluster will take over the failed node's floating IPaddress.

In some cases, a cluster may include a plurality of nodes and each nodeof the plurality of nodes may be assigned a different floating IPaddress. In this case, a first hypervisor may be configured with a firstfloating IP address associated with a first node in the cluster, asecond hypervisor may be configured with a second floating IP addressassociated with a second node in the cluster, and a third hypervisor maybe configured with a third floating IP address associated with a thirdnode in the cluster.

As depicted in FIG, 3, the software-level components of the storageappliance 170 may include data management system 102, a virtualizationinterface 104, a distributed job scheduler 108, a distributed metadatastore 110, a distributed file system 112, and one or more virtualmachine search indexes, such as virtual machine search index 106. In oneembodiment, the software-level components of the storage appliance 170may be run using a dedicated hardware-based appliance. In anotherembodiment, the software-level components of the storage appliance 170may be run from the cloud (e.g., the software-level components may beinstalled on a cloud service provider).

In some cases, the data storage across a plurality of nodes in a cluster(e.g., the data storage available from the one or more physicalmachines) may be aggregated and made available over a single file systemnamespace (e.g., /snapshots/). A directory for each virtual machineprotected using the storage appliance 170 may be created (e.g., thedirectory for Virtual Machine A may be /snapshots/VM_A). Snapshots andother data associated with a virtual machine may reside within thedirectory for the virtual machine. In one example, snapshots of avirtual machine may be stored in subdirectories of the directory (e.g.,a first snapshot of Virtual Machine A may reside in /snapshots/VM_A/s1/and a second snapshot of Virtual Machine A may reside in/snapshots/VM_A/s2/).

The distributed file system 112 may present itself as a single filesystem, in which as new physical machines or nodes are added to thestorage appliance 170, the cluster may automatically discover theadditional nodes and automatically increase the available capacity ofthe file system for storing files and other data. Each file stored inthe distributed file system 112 may be partitioned into one or morechunks or shards. Each of the one or more chunks may be stored withinthe distributed file system 112 as a separate file. The files storedwithin the distributed file system 112 may be replicated or mirroredover a plurality of physical machines, thereby creating a load-balancedand fault tolerant distributed file system. In one example, storageappliance 170 may include ten physical machines arranged as a failovercluster and a first file corresponding with a snapshot of a virtualmachine (e.g., /snapshots/VM_A/s1/s1.full) may be replicated and storedon three of the ten machines.

The distributed metadata store 110 may include a distributed databasemanagement system that provides high availability without a single pointof failure. In one embodiment, the distributed metadata store 110 maycomprise a database, such as a distributed document-oriented database.The distributed metadata store 110 may be used as a distributed keyvalue storage system. In one example, the distributed metadata store 110may comprise a distributed NoSQL key value store database. In somecases, the distributed metadata store 110 may include a partitioned rowstore, in which rows are organized into tables or other collections ofrelated data held within a structured format within the key value storedatabase. A table (or a set of tables) may be used to store metadatainformation associated with one or more files stored within thedistributed file system 112. The metadata information may include thename of a file, a size of the file, file permissions associated with thefile, when the file was last modified, and file mapping informationassociated with an identification of the location of the file storedwithin a cluster of physical machines. In one embodiment, a new filecorresponding with a snapshot of a virtual machine may be stored withinthe distributed file system 112 and metadata associated with the newfile may be stored within the distributed metadata store 110. Thedistributed metadata store 110 may also be used to store a backupschedule for the virtual machine and a list of snapshots for the virtualmachine that are stored using the storage appliance 170,

In some cases, the distributed metadata store 110 may be used to manageone or more versions of a virtual machine. Each version of the virtualmachine may correspond with a full image snapshot of the virtual machinestored within the distributed file system 112 or an incremental snapshotof the virtual machine (e.g., a forward incremental or reverseincremental) stored within the distributed file system 112. In oneembodiment, the one or more versions of the virtual machine maycorrespond with a plurality of files. The plurality of files may includea single full image snapshot of the virtual machine and one or moreincremental aspects derived from the single full image snapshot. Thesingle full image snapshot of the virtual machine may be stored using afirst storage device of a first type (e.g., a HDD) and the one or moreincremental aspects derived from the single full image snapshot may bestored using a second storage device of a second type (e.g., an SSD). Inthis case, only a single full image needs to be stored and each versionof the virtual machine may be generated from the single full image orthe single full image combined with a subset of the one or moreincremental aspects. Furthermore, each version of the virtual machinemay be generated by performing a sequential read from the first storagedevice (e.g., reading a single file from a HDD) to acquire the fullimage and, in parallel, performing one or more reads from the secondstorage device (e.g., performing fast random reads from an SSD) toacquire the one or more incremental aspects.

The distributed job scheduler 108 may be used for scheduling backup jobsthat acquire and store virtual machine snapshots for one or more virtualmachines over time. The distributed job scheduler 108 may follow abackup schedule to backup an entire image of a virtual machine at aparticular point in time or one or more virtual disks associated withthe virtual machine at the particular point in time. In one example, thebackup schedule may specify that the virtual machine be backed up at asnapshot capture frequency, such as every two hours or every 24 hours.Each backup job may be associated with one or more tasks to be performedin a sequence. Each of the one or more tasks associated with a job maybe run on a particular node within a cluster. In some cases, thedistributed job scheduler 108 may schedule a specific job to be run on aparticular node based on data stored on the particular node. Forexample, the distributed job scheduler 108 may schedule a virtualmachine snapshot job to be run on a node in a cluster that is used tostore snapshots of the virtual machine in order to reduce networkcongestion.

The distributed job scheduler 108 may comprise a distributed faulttolerant job scheduler, in which jobs affected by node failures arerecovered and rescheduled to be run on available nodes. In oneembodiment, the distributed job scheduler 108 may be fully decentralizedand implemented without the existence of a master node. The distributedjob scheduler 108 may run job scheduling processes on each node in acluster or on a plurality of nodes in the cluster. In one example, thedistributed job scheduler 108 may run a first set of job schedulingprocesses on a first node in the cluster, a second set of job schedulingprocesses on a second node in the cluster, and a third set of jobscheduling processes on a third node in the cluster. The first set ofjob scheduling processes, the second set of job scheduling processes,and the third set of job scheduling processes may store informationregarding jobs, schedules, and the states of jobs using a metadatastore, such as distributed metadata store 110. In the event that thefirst node running the first set of job scheduling processes fails(e.g., due to a network failure or a physical machine failure), thestates of the jobs managed by the first set of job scheduling processesmay fail to be updated within a threshold period of time (e.g., a jobmay fail to be completed within 30 seconds or within minutes from beingstarted). In response to detecting jobs that have failed to be updatedwithin the threshold period of time, the distributed job scheduler 108may undo and restart the failed jobs on available nodes within thecluster.

The job scheduling processes running on at least a plurality of nodes ina cluster (e.g., on each available node in the cluster) may manage thescheduling and execution of a plurality of jobs. The job schedulingprocesses may include run processes for running jobs, cleanup processesfor cleaning up failed tasks, and rollback processes for rolling-back orundoing any actions or tasks performed by failed jobs. In oneembodiment, the job scheduling processes may detect that a particulartask for a particular job has failed and in response may perform acleanup process to clean up or remove the effects of the particular taskand then perform a rollback process that processes one or more completedtasks for the particular job in reverse order to undo the effects of theone or more completed tasks. Once the particular job with the failedtask has been undone, the job scheduling processes may restart theparticular job on an available node in the cluster.

The distributed job scheduler 108 may manage a job in which a series oftasks associated with the job are to be performed atomically (i.e.,partial execution of the series of tasks is not permitted). If theseries of tasks cannot be completely executed or there is any failurethat occurs to one of the series of tasks during execution (e.g., a harddisk associated with a physical machine fails or a network connection tothe physical machine fails), then the state of a data management systemmay be returned to a state as if none of the series of tasks were everperformed. The series of tasks may correspond with an ordering of tasksfor the series of tasks and the distributed job scheduler 108 may ensurethat each task of the series of tasks is executed based on the orderingof tasks. Tasks that do not have dependencies with each other may beexecuted in parallel.

In some cases, the distributed job scheduler 108 may schedule each taskof a series of tasks to be performed on a specific node in a cluster. Inother cases, the distributed job scheduler 108 may schedule a first taskof the series of tasks to be performed on a first node in a cluster anda second task of the series of tasks to be performed on a second node inthe cluster. In these cases, the first task may have to operate on afirst set of data (e.g., a first file stored in a file system) stored onthe first node and the second task may have to operate on a second setof data (e.g., metadata related to the first file that is stored in adatabase) stored on the second node. In some embodiments, one or moretasks associated with a job may have an affinity to a specific node in acluster.

In one example, if the one or more tasks require access to a databasethat has been replicated on three nodes in a cluster, then the one ormore tasks may be executed on one of the three nodes. In anotherexample, if the one or more tasks require access to multiple chunks ofdata associated with a virtual disk that has been replicated over fournodes in a cluster, then the one or more tasks may be executed on one ofthe four nodes. Thus, the distributed job scheduler 108 may assign oneor more tasks associated with a job to be executed on a particular nodein a cluster based on the location of data required to be accessed bythe one or more tasks.

In one embodiment, the distributed job scheduler 108 may manage a firstjob associated with capturing and storing a snapshot of a virtualmachine periodically (e.g., every 30 minutes). The first job may includeone or more tasks, such as communicating with a virtualizedinfrastructure manager, such as the virtualized infrastructure manager199 in FIG. 2, to create a frozen copy of the virtual machine and totransfer one or more chunks (or one or more files) associated with thefrozen copy to a storage appliance, such as storage appliance 170 inFIG. 1. The one or more tasks may also include generating metadata forthe one or more chunks, storing the metadata using the distributedmetadata store 110, storing the one or more chunks within thedistributed file system 112, and communicating with the virtualizedinfrastructure manager 199 that the frozen copy of the virtual machinemay be unfrozen or released for a frozen state. The metadata for a firstchunk of the one or more chunks may include information specifying aversion of the virtual machine associated with the frozen copy, a timeassociated with the version (e.g., the snapshot of the virtual machinewas taken at 5:30 p.m. on Jun. 29, 2018), and a file path to where thefirst chunk is stored within the distributed file system 92 (e.g., thefirst chunk is located at /snapshotsNM_B/s1/s1.chunk1). The one or moretasks may also include deduplication, compression (e.g., using alossless data compression algorithm such as LZ4 or LZ77), decompression,encryption (e.g., using a symmetric key algorithm such as Triple DES orAES-256), and decryption related tasks.

The virtualization interface 104 may provide an interface forcommunicating with a virtualized infrastructure manager managing avirtualization infrastructure, such as virtualized infrastructuremanager 199 in FIG. 2, and requesting data associated with virtualmachine snapshots from the virtualization infrastructure. Thevirtualization interface 104 may communicate with the virtualizedinfrastructure manager using an API for accessing the virtualizedinfrastructure manager (e.g., to communicate a request for a snapshot ofa virtual machine). In this case, storage appliance 170 may request andreceive data from a virtualized infrastructure without requiring agentsoftware to be installed or running on virtual machines within thevirtualized infrastructure. The virtualization interface 104 may requestdata associated with virtual blocks stored on a virtual disk of thevirtual machine that have changed since a last snapshot of the virtualmachine was taken or since a specified prior point in time. Therefore,in some cases, if a snapshot of a virtual machine is the first snapshottaken of the virtual machine, then a full image of the virtual machinemay be transferred to the storage appliance. However, if the snapshot ofthe virtual machine is not the first snapshot taken of the virtualmachine, then only the data blocks of the virtual machine that havechanged since a prior snapshot was taken may be transferred to thestorage appliance.

The virtual machine search index 106 may include a list of files thathave been stored using a virtual machine and a version history for eachof the files in the list. Each version of a file may be mapped to theearliest point in time snapshot of the virtual machine that includes theversion of the file or to a snapshot of the virtual machine that includethe version of the file (e.g., the latest point in time snapshot of thevirtual machine that includes the version of the file). In one example,the virtual machine search index 106 may be used to identify a versionof the virtual machine that includes a particular version of a file(e.g., a particular version of a database, a spreadsheet, or a wordprocessing document). In some cases, each of the virtual machines thatare backed up or protected using storage appliance 170 may have acorresponding virtual machine search index.

In one embodiment, as each snapshot of a virtual machine is ingestedeach virtual disk associated with the virtual machine is parsed in orderto identify a file system type associated with the virtual disk and toextract metadata (e.g., file system metadata) for each file stored onthe virtual disk. The metadata may include information for locating andretrieving each file from the virtual disk. The metadata may alsoinclude a name of a file, the size of the file, the last time at whichthe file was modified, and a content checksum for the file. Each filethat has been added, deleted, or modified since a previous snapshot wascaptured may be determined using the metadata (e.g., by comparing thetime at which a file was last modified with a time associated with theprevious snapshot). Thus, for every file that has existed within any ofthe snapshots of the virtual machine, a virtual machine search index maybe used to identify when the file was first created (e.g., correspondingwith a first version of the file) and at what times the file wasmodified (e.g., corresponding with subsequent versions of the file).Each version of the file may be mapped to a particular version of thevirtual machine that stores that version of the file.

In some cases, if a virtual machine includes a plurality of virtualdisks, then a virtual machine search index may be generated for eachvirtual disk of the plurality of virtual disks. For example, a firstvirtual machine search index may catalog and map files located on afirst virtual disk of the plurality of virtual disks and a secondvirtual machine search index may catalog and map files located on asecond virtual disk of the plurality of virtual disks. In this case, aglobal file catalog or a global virtual machine search index for thevirtual machine may include the first virtual machine search index andthe second virtual machine search index. A global file catalog may bestored for each virtual machine backed up by a storage appliance withina file system, such as distributed file system 112 in FIG. 3.

The data management system 102 may comprise an application running onthe storage appliance that manages and stores one or more snapshots of avirtual machine. In one example, the data management system 102 maycomprise a highest-level layer in an integrated software stack runningon the storage appliance. The integrated software stack may include thedata management system 102, the virtualization interface 104, thedistributed job scheduler 108, the distributed metadata store 110, andthe distributed file system 112.

In some cases, the integrated software stack may run on other computingdevices, such as a server or computing device 154 in FIG. 1. The datamanagement system 102 may use the virtualization interface 104, thedistributed job scheduler 108, the distributed metadata store 110, andthe distributed file system 112 to manage and store one or moresnapshots of a virtual machine. Each snapshot of the virtual machine maycorrespond with a point in time version of the virtual machine. The datamanagement system 102 may generate and manage a list of versions for thevirtual machine. Each version of the virtual machine may map to orreference one or more chunks and/or one or more files stored within thedistributed file system 112. Combined together, the one or more chunksand/or the one or more files stored within the distributed file system112 may comprise a full image of the version of the virtual machine.

Some examples of the present disclosure identify and capture specificfile system data and auditable events (also termed audit events,herein). Such system data and events may be classified and/or filteredto assist in identifying anomalous activity such as unauthorized useraccess to files in a file system and the infiltration of ransomwaretherein. In this regard, some example system architectures include amini-filter and/or a file object cache. In some examples, these twoelements operate together in a file system, such as a file system 112 ofthe type described further above. Other types of file system arepossible.

One challenge that may present itself in mini-filter development is thatauthentication information, such as a security identified (SID) andremote IP, is only correct at a file creation (CREATE) stage. Morespecifically, if a user tries to read (READ) or modify (e.g. WRITE orCLEANUP) a shared file from a remote machine, he or she will typicallybe required to provide valid credentials. On a Windows™ host, forexample, multiple audit events can occur and be captured includingCREATE, READ, WRITE, and CLEANUP audit events. However, a mini-filtercan only capture a correct user SID and remote IP address in a CREATEevent. Other events merely act as unchecked subsequent system events asauthentication has been established or checked previously.

In some examples, a mini-filter includes or acts as a filter manager. Amini-filter may include a kernel-mode driver that conforms to a legacyfile system filter model and exposes functionality commonly required infile system filter drivers. A mini-filter driver may include a filesystem filter that intercepts requests that are targeted at a filesystem or another file system filter. By intercepting the request beforeit reaches its intended target, the filter driver can extend or replacefunctionality provided by the original target of the request.

In order to record actual user information for a complete event series(e.g. CREATE, READ, WRITE, CLEANUP audit events), some examples maintaina map in a file object cache of {file_object_id->(SID, remote IP)}. Thefile_object_id is a 64-bit unsigned integer that uniquely represents afile object, Although authentication information is only valid orcreated at a CREATE event, file object id remains the same for the restof the other events.

Reference is now made to FIG. 4 which illustrates a state map 400 foruse in file system data and audit event capture. The state map 400 andassociated computer architecture may be included in the data managementsystem 102 or file system 112 described above. As illustrated, in oneexample, a typical user creating or editing a Word™ document (forexample) within the system files or folders may generate many CREATE,WRITE, READ, or CLEANUP audit events, as shown.

Some examples of the present disclosure utilize some or all of theseaudit events to assist in verifying user activity or identifyinganomalous activity such as unauthorized user access to files in a filesystem, for example. Other use cases are possible. At operation 402 auser SID and remote IP address is resolved or established at a CREATEevent 408. At operation 404, the pair {file_object_id->(SID, remote IPaddress)} is stored to a map in a file object cache. At one or moreoperations 406 for other events (such as WRITE 410, READ 412, or CLEANUP414 events), the file_object_id is used as an authorization orverification key and the (user SID, remote IP address) pair is retrievedfrom the map in the file object cache. Additionally, in some examples,at operation 416 at a CLEANUP event, the file_object_id is removed fromthe map since a CLEANUP event typically occurs at the end of a completeevent series and the corresponding file has already been closed by akernel, for example. In some examples, in order to ensure that the fileobject cache remains within a memory size limitation, a timestamp isrecorded indicating when a file object was last used. A backend thread(for example, a daemon) may run periodically and remove{file_object_id->(SID, remote IP address)} entries having a timestampolder than a given threshold.

Some examples of the present disclosure identify and capture otherspecific file system data to assist in identifying anomalous activitysuch as unauthorized user access to files in a file system.

Some embodiments of the present disclosure include methods. Withreference to FIG. 5, an example method 500 by a data management systemmay include, at operation 502, identifying audit events associated withuser file accesses in a monitored computer system, the audit eventsincluding a create event and a subsequent event, the subsequent eventincluding a read, write, or cleanup event; at operation 504, resolving apair value including a user ID and remote IP address at the createevent; at operation 506, associating the pair value with a file objectid for a base file or one or more forward incremental files; atoperation 508, storing the associated file object id and pair value in amap in a file object cache; and, at operation 510, retrieving the fileobject id from the file object cache at the subsequent event.

In some examples, the file object id is used as an authorization orverification key for the subsequent event. In some examples, the one ormore processors is further configured to remove the file object id fromthe map in the file object cache at a cleanup event included in thesubsequent event. In some examples, the cleanup event includes a closingor deletion of a file object associated with the file object id. In someexamples, the one or more processors is further configured to apply atime stamp to the file object. In some examples, the one or moreprocessors is further configured to remove the file object id and pairvalue from the map in the file object cache based on the timestampmeeting or exceeding a threshold value.

With reference to FIG. 6, an example method 600 by a data managementsystem may include, at operation 602, identifying audit eventsassociated with user file accesses in a monitored computer system, theaudit events including a create event and a subsequent event, thesubsequent event including a read, write, or cleanup event; at operation604, resolving a pair value including a user ID and remote IP address atthe create event; at operation 606, associating the pair value with afile object id for the base file or the one or more forward incrementalfiles; and, at operation 608, storing the associated file object id andpair value in a map in a file object cache.

In some examples, the one or more processors is further configured toretrieve the file object id from the file object cache at the subsequentevent. In some examples, the tile object id is used as an authorizationor verification key for the subsequent event. In some examples, the oneor more processors is further configured to remove the file object idfrom the map in the file object cache at a cleanup event included in thesubsequent event. In some examples, the cleanup event includes a closingor deletion of a file object associated with the file object id. In someexamples, the one or more processors is further configured to apply atime stamp to the file object and remove the file object id and pairvalue from the map in the tile object cache based on the timestampmeeting or exceeding a threshold value.

With reference to FIG. 7, an example method 700 by a data managementsystem may include, at operation 702, identifying audit eventsassociated with user file accesses in a monitored computer system, theaudit events including a create event and a subsequent event, thesubsequent event including a read, write, or cleanup event; at operation704, identifying a pair value including a user ID and remote IP addressat the create event; at operation 706, associating the pair value with afile object id for the base file or the one or more forward incrementalfiles; at operation 708, storing the associated file object id and pairvalue in a map in a file object cache in the at least one storagedevice; and, at operation 710, retrieving the file object id from thefile object cache at the subsequent event.

In some examples, the file object id is used as an authorization orverification key for the subsequent event. In some examples, the one ormore processors is further configured to remove the file object id fromthe map in the file object cache at a cleanup event included in thesubsequent event. In some examples, the cleanup event includes a closingor deletion of a file object associated with the file object id. In someexamples, the one or more processors is further configured to apply atime stamp to the file object. In some examples, the one or moreprocessors is further configured to remove the file object id and pairvalue from the map in the file object cache based on the timestampmeeting or exceeding a threshold value.

FIG. 8 is a block diagram illustrating an example of a computer softwarearchitecture for data classification and information security that maybe installed on a machine, according to some example embodiments. FIG. 8is merely a non-limiting example of a software architecture, and it willbe appreciated that many other architectures may be implemented tofacilitate the functionality described herein. The software architecture802 may be executing on hardware such as a machine 900 of FIG. 9 thatincludes, among other things, processors 1110, memory 1130, and I/Ocomponents 1150. A representative hardware layer 804 of FIG. 8 isillustrated and can represent, for example, the machine 1000 of FIG. 10.The representative hardware layer 804 of FIG. 8 comprises one or moreprocessing units 806 having associated executable instructions 808. Theexecutable instructions 808 represent the executable instructions of thesoftware architecture 802, including implementation of the methods,modules, and so forth described herein. The hardware layer 804 alsoincludes memory or storage modules 810, which also have the executableinstructions 808. The hardware layer 804 may also comprise otherhardware 810, which represents any other hardware of the hardware layer804, such as the other hardware illustrated as part of the machine 800.

In the example architecture of FIG. 8, the software architecture 802 maybe conceptualized as a stack of layers, where each layer providesparticular functionality. For example, the software architecture 802 mayinclude layers such as an operating system 814, libraries 816,frameworks/middleware 818, applications 820, and a presentation layer844. Operationally, the applications 820 or other components within thelayers may invoke API calls 824 through the software stack and receive aresponse, returned values, and so forth (illustrated as messages 826) inresponse to the API calls 824. The layers illustrated are representativein nature, and not all software architectures have all layers. Forexample, some mobile or special purpose operating systems may notprovide a frameworks/middleware 818 layer, while others may provide sucha layer. Other software architectures may include additional ordifferent layers.

The operating system 814 may manage hardware resources and providecommon services. The operating system 814 may include, for example, akernel 828, services 830, and drivers 832. The kernel 828 may act as anabstraction layer between the hardware and the other software layers.For example, the kernel 828 may be responsible for memory management,processor management (e.g., scheduling), component management,networking, security settings, and so on. The services 830 may provideother common services for the other software layers. The drivers 832 maybe responsible for controlling or interfacing with the underlyinghardware. For instance, the drivers 832 may include display drivers,camera drivers, Bluetooth® drivers, flash memory drivers, serialcommunication drivers (e.g., Universal Serial Bus (USB) drivers),drivers, audio drivers, power management drivers, and so forth dependingon the hardware configuration.

The libraries 816 may provide a common infrastructure that may beutilized by the applications 820 and/or other components and/or layers.The libraries 816 typically provide functionality that allows othersoftware modules to perform tasks in an easier fashion than byinterfacing directly with the underlying operating system 814functionality (e.g., kernel 828, services 830, or drivers 832). Thelibraries 816 may include system libraries 834 (e.g., C standardlibrary) that may provide functions such as memory allocation functions,string manipulation functions, mathematic functions, and the like. Inaddition, the libraries 816 may include API libraries 836 such as medialibraries (e.g., libraries to support presentation and manipulation ofvarious media formats such as MPEG4, H.264, MP3, AAC, AMR, JPG, PNCC),graphics libraries (e.g., an OpenGL framework that may be used to render2D and 3D graphic content on a display), database libraries (e.g.,SQLite that may provide various relational database functions), weblibraries (e.g., WebKit that may provide web browsing functionality),and the like. The libraries 816 may also include a wide variety of otherlibraries 838 to provide many other APIs to the applications 820 andother software components/modules.

The frameworks 818 (also sometimes referred to as middleware) mayprovide a higher-level common infrastructure that may be utilized byapplications 820 or other software components/modules. For example, theframeworks 818 may provide various graphic user interface (GUI)functions, high-level resource management, high-level location services,and so forth. The frameworks 818 may provide a broad spectrum of otherAPIs that may be utilized by the applications 820 and/or other softwarecomponents/modules, some of which may be specific to a particularoperating system or platform.

The applications 820 include built-in applications 840 and/orthird-party applications 842. Examples of representative built-inapplications 840 may include, but are not limited to, a homeapplication, a contacts application, a browser application, a bookreader application, a location application, a media application, amessaging application, or a game application.

The third-party applications 842 may include any of the built-inapplications 840, as well as a broad assortment of other applications.In a specific example, the third-party applications 842 (e.g., anapplication developed using the Android™ or iOS™ software developmentkit (SDK) by an entity other than the vendor of the particular platform)may be mobile software running on a mobile operating system such asiOS™, Android™, Windows® Phone, or other mobile operating systems. Inthis example, the third-party applications 842 may invoke the API calls824 provided by the mobile operating system such as the operating system814 to facilitate functionality described herein.

The applications 820 may utilize built-in operating system functions(e.g., kernel 828, services 830, or drivers 832), libraries (e.g.,system 834, APIs 836, and other libraries 838), or frameworks/middleware818 to create user interfaces to interact with users of the system.Alternatively, or additionally, in some systems, interactions with auser may occur through a presentation layer, such as the presentationlayer 844. In these systems, the application/module “logic” can beseparated from the aspects of the application/module that interact withthe user.

Some software architectures utilize virtual machines. In the example ofFIG. 8, this is illustrated by a virtual machine 848. A virtual machinecreates a software environment where applications/modules can execute asif they were executing on a hardware machine e.g., the machine 1000 ofFIG. 10, for example). A virtual machine 848 is hosted by a hostoperating system (e.g., operating system 814) and typically, althoughnot always, has a virtual machine monitor 846, which manages theoperation of the virtual machine 848 as well as the interface with thehost operating system (e.g., operating system 814). A softwarearchitecture executes within the virtual machine 848, such as anoperating system 850, libraries 852, frameworks/middleware 854,applications 856, or a presentation layer 858. These layers of softwarearchitecture executing within the virtual machine 848 can be the same ascorresponding layers previously described or may be different.

FIG. 9 is a block diagram 900 illustrating an architecture of software902, which can be installed on any one or more of the devices describedabove. FIG. 9 is merely a non-limiting example of a softwarearchitecture, and it will be appreciated that many other architecturescan be implemented to facilitate the functionality described herein. Invarious embodiments, the software 902 is implemented by hardware such asa machine 1000 of FIG. 10 that includes processors 1110, memory 1130,and I/O components 1150. In this example architecture, the software 902can be conceptualized as a stack of layers where each layer may providea particular functionality. For example, the software 902 includeslayers such as an operating system 904, libraries 906, frameworks 908,and applications 910. Operationally, the applications 910 invokeapplication programming interface (API) calls 912 through the softwarestack and receive messages 914 in response to the API calls 912,consistent with some embodiments.

In various implementations, the operating system 904 manages hardwareresources and provides common services. The operating system 904includes, for example, a kernel 920, services 922, and drivers 924. Thekernel 920 acts as an abstraction layer between the hardware and theother software layers, consistent with some embodiments. For example,the kernel 920 provides memory management, processor management (e.g.,scheduling), component management, networking, and security settings,among other functionality. The services 922 can provide other commonservices for the other software layers. The drivers 924 are responsiblefor controlling or interfacing with the underlying hardware, accordingto some embodiments. For instance, the drivers 924 can include displaydrivers, camera drivers, BLUETOOTH® or BLUETOOTH® Low Energy drivers,flash memory drivers, serial communication drivers (e.g., UniversalSerial Bus (USB) drivers), WI-FI® drivers, audio drivers, powermanagement drivers, and so forth.

In some embodiments, the libraries 906 provide a low-level commoninfrastructure utilized by the applications 910. The libraries 906 caninclude system libraries 930 (e.g., C standard library) that can providefunctions such as memory allocation functions, string manipulationfunctions, mathematic functions, and the like. In addition, thelibraries 906 can include API libraries 932 such as media libraries(e.g., libraries to support presentation and manipulation of variousmedia formats such as Moving Picture Experts Group-4 (MPEG4), AdvancedVideo Coding (H.264 or AVC), Moving Picture Experts Group Layer-3 (MP3),Advanced Audio Coding (AAC), Adaptive Multi-Rate (AMR) audio codec,Joint Photographic Experts Group (JPEG or JPG), or Portable NetworkGraphics (PNG)), graphics libraries (e.g., an OpenGL framework used torender in two dimensions (2D) and three dimensions (3D) in a graphiccontent on a display), database libraries (e.g., SQLite to providevarious relational database functions), web libraries (e.g., WebKit toprovide web browsing functionality), and the like. The libraries 906 canalso include a wide variety of other libraries 934 to provide many otherAPIs to the applications 910.

The frameworks 908 provide a high-level common infrastructure that canbe utilized by the applications 910, according to some embodiments. Forexample, the frameworks 908 provide various graphic user interface (GUI)functions, high-level resource management, high-level location services,and so forth. The frameworks 908 can provide a broad spectrum of otherAPIs that can be utilized by the applications 910, some of which may bespecific to a particular operating system or platform.

In an example embodiment, the applications 910 include a homeapplication 950, a contacts application 952, a browser application 954,a book reader application 956, a location application 958, a mediaapplication 960, a messaging application 962, a game application 964,and a broad assortment of other applications such as a third-partyapplication 966. According to some embodiments, the applications 910 areprograms that execute functions defined in the programs. Variousprogramming languages can be employed to create one or more of theapplications 910, structured in a variety of manners, such asobject-oriented programming languages (e.g., Objective-C, Java, or C++)or procedural programming languages (e.g., C or assembly language). In aspecific example, the third-party application 966 (e.g., an applicationdeveloped using the ANDROID™ or IOS™ software development kit (SDK) byan entity other than the vendor of the particular platform) may bemobile software running on a mobile operating system such as IOS™,ANDROID™, WINDOWS® Phone, or another mobile operating system. In thisexample, the third-party application 966 can invoke the API calls 910provided by the operating system 904 to facilitate functionalitydescribed herein.

FIG. 10 illustrates a diagrammatic representation of a machine 1000 inthe form of a computer system within which a set of instructions may beexecuted for causing the machine to perform any one or more of themethodologies discussed herein, according to an example embodiment.Specifically, FIG. 10 shows a diagrammatic representation of the machine1000 in the example form of a computer system, within which instructions1016 (e.g., software, a program, an application, an applet, an app, orother executable code) for causing the machine 1000 to perform any oneor more of the methodologies discussed herein may be executed.Additionally, or alternatively, the instructions 1016 may implement theoperations of the methods shown in FIGS. 5-7, or as elsewhere describedherein.

The instructions 1016 transform the general, non-programmed machine 1000into a particular machine 1000 programmed to carry out the described andillustrated functions in the manner described. In alternativeembodiments, the machine 1000 operates as a standalone device or may becoupled (e.g., networked) to other machines. In a networked deployment,the machine 1000 may operate in the capacity of a server machine or aclient machine in a server-client network environment, or as a peermachine in a peer-to-peer (or distributed) network environment. Themachine 1000 may comprise, but not be limited to, a server computer, aclient computer, a personal computer (PC), a tablet computer, a laptopcomputer, a netbook, a set-top box (STB), a PDA, an entertainment mediasystem, a cellular telephone, a smart phone, a mobile device, a wearabledevice (e.g., a smart watch), a smart home device (e.g., a smartappliance), other smart devices, a web appliance, a network router, anetwork switch, a network bridge, or any machine capable of executingthe instructions 1016, sequentially or otherwise, that specify actionsto be taken by the machine 1000. Further, while only a single machine1000 is illustrated, the term “machine” shall also be taken to include acollection of machines 1000 that individually or jointly execute theinstructions 1016 to perform any one or more of the methodologiesdiscussed herein.

The machine 1000 may include processors 1010, memory 1030, and I/Ocomponents 1050, which may be configured to communicate with each othersuch as via a bus 1002. In an example embodiment, the processors 1010(e.g., a Central Processing Unit (CPU), a Reduced Instruction SetComputing (RISC) processor, a Complex instruction Set Computing (CISC)processor, a Graphics Processing Unit (GPU), a Digital Signal Processor(DSP), an ASIC, a Radio-Frequency Integrated Circuit (RFIC), anotherprocessor, or any suitable combination thereof) may include, forexample, a processor 1012 and a processor 1014 that may execute theinstructions 1016. The term “processor” is intended to includemulti-core processors that may comprise two or more independentprocessors (sometimes referred to as “cores”) that may executeinstructions contemporaneously. Although FIG. 10 shows multipleprocessors 1010, the machine 1000 may include a single processor with asingle core, a single processor with multiple cores (e.g., a multi-coreprocessor), multiple processors with a single core, multiple processorswith multiples cores, or any combination thereof.

The memory 1030 may include a main memory 1032, a static memory 1034,and a storage unit 1036, each accessible to the processors 1010 such asvia the bus 1002. The main memory 1030, the static memory 1034, andstorage unit 1036 store the instructions 1016 embodying any one or moreof the methodologies or functions described herein. The instructions1016 may also reside, completely or partially, within the main memory1032, within the static memory 1034, within the storage unit 1036,within at least one of the processors 1010 (e.g., within the processor'scache memory), or any suitable combination thereof, during executionthereof by the machine 1000.

The I/O components 1050 may include a wide variety of components toreceive input, provide output, produce output, transmit information,exchange information, capture measurements, and so on. The specific I/Ocomponents 1050 that are included in a particular machine will depend onthe type of machine. For example, portable machines such as mobilephones will likely include a touch input device or other such inputmechanisms, while a headless server machine will likely not include sucha touch input device. It will be appreciated that the I/O components1050 may include many other components that are not shown in FIG. 10.The I/O components 1050 are grouped according to functionality merelyfor simplifying the following discussion and the grouping is in no waylimiting. In various example embodiments, the I/O components 1050 mayinclude output components 1052 and input components 1054. The outputcomponents 1052 may include visual components (e.g., a display such as aplasma display panel (PDP), a light emitting diode (LED) display, aliquid crystal display (LCD), a projector, or a cathode ray tube (CRT)),acoustic components (e.g., speakers), haptic components (e.g., avibratory motor, resistance mechanisms), other signal generators, and soforth. The input components 1054 may include alphanumeric inputcomponents (e.g., a keyboard, a touch screen configured to receivealphanumeric input, a photo-optical keyboard, or other alphanumericinput components), point-based input components (e.g., a mouse, atouchpad, a trackball, a joystick, a motion sensor, or another pointinginstrument), tactile input components (e.g., a physical button, a touchscreen that provides location and/or force of touches or touch gestures,or other tactile input components), audio input components (e.g., amicrophone), and the like.

In further example embodiments, the I/O components 1050 may includebiometric components 1056, motion components 1058, environmentalcomponents 1060, or position components 1062, among a wide array ofother components. For example, the biometric components 1056 may includecomponents to detect expressions (e.g., hand expressions, facialexpressions, vocal expressions, body gestures, or eye tracking), measurebiosignals (e.g., blood pressure, heart rate, body temperature,perspiration, or brain waves), identify a person (e.g., voiceidentification, retinal identification, facial identification,fingerprint identification, or electroencephalogram-basedidentification), and the like. The motion components 1058 may includeacceleration sensor components (e.g., accelerometer), gravitation sensorcomponents, rotation sensor components (e.g., gyroscope), and so forth.The environmental components 1060 may include, for example, illuminationsensor components (e.g., photometer), temperature sensor components(e.g., one or more thermometers that detect ambient temperature),humidity sensor components, pressure sensor components (e.g.,barometer), acoustic sensor components (e.g., one or more microphonesthat detect background noise), proximity sensor components (e.g.,infrared sensors that detect nearby objects), gas sensors (e.g., gasdetection sensors to detection concentrations of hazardous gases forsafety or to measure pollutants in the atmosphere), or other componentsthat may provide indications, measurements, or signals corresponding toa surrounding physical environment. The position components 1062 mayinclude location sensor components (e.g., a GPS receiver component),altitude sensor components (e.g., altimeters or barometers that detectair pressure from which altitude may be derived), orientation sensorcomponents (e.g., magnetometers), and the like.

Communication may be implemented using a wide variety of technologies.The I/O components 1050 may include communication components 1064operable to couple the machine 1000 to a network 1080 or devices 1070via a coupling 1082 and a coupling 1072, respectively. For example, thecommunication components 1064 may include a network interface componentor another suitable device to interface with the network 1080. Infurther examples, the communication components 1064 may include wiredcommunication components, wireless communication components, cellularcommunication components, Near Field Communication (NFC) components,Bluetooth® components (e.g., Bluetooth® Low Energy), Wi-Fi® components,and other communication components to provide communication via othermodalities. The devices 1070 may be another machine or any of a widevariety of peripheral devices (e.g., a peripheral device coupled via aUSB).

Moreover, the communication components 1064 may detect identifiers orinclude components operable to detect identifiers. For example, thecommunication components 1064 may include Radio Frequency Identification(RFID) tag reader components, NFC smart tag detection components,optical reader components (e.g., an optical sensor to detectone-dimensional bar codes such as Universal Product Code (UPC) bar code,multi-dimensional bar codes such as Quick Response (QR) code, Azteccode, Data Matrix, Dataglyph, MaxiCode, PDF417, Ultra Code, UCC RSS-2Dbar code, and other optical codes), or acoustic detection components(e.g., microphones to identify tagged audio signals). In addition, avariety of information may be derived via the communication components1064, such as location via Internet Protocol (IP) geolocation, locationvia Wi-Fi® signal triangulation, location via detecting an NFC beaconsignal that may indicate a particular location, and so forth.

The various memories (i.e., 1030, 1032, 1034, and/or memory of theprocessor(s) 1010) and/or storage unit 1036 may store one or more setsof instructions and data structures (e.g., software) embodying orutilized by any one or more of the methodologies or functions describedherein. These instructions (e.g., the instructions 1016), when executedby processor(s) 1010, cause various operations to implement thedisclosed embodiments.

As used herein, the terms “machine-storage medium,” “device-storagemedium,” “computer-storage medium” mean the same thing and may be usedinterchangeably in this disclosure. The terms refer to a single ormultiple storage devices and/or media (e.g., a centralized ordistributed database, and/or associated caches and servers) that storeexecutable instructions and/or data. The terms shall accordingly betaken to include, but not be limited to, solid-state memories, andoptical and magnetic media, including memory internal or external toprocessors. Specific examples of machine-storage media, computer-storagemedia and/or device-storage media include non-volatile memory, includingby way of example semiconductor memory devices, e.g., erasableprogrammable read-only memory (EPROM), electrically erasableprogrammable read-only memory (EEPROM), FPGA, and flash memory devices;magnetic disks such as internal hard disks and removable disks;magneto-optical disks; and CD-ROM and DVD-ROM disks. The terms“machine-storage media,” “computer-storage media,” and “device-storagemedia” specifically exclude carrier waves, modulated data signals, andother such media, at least some of which are covered under the term“signal medium” discussed below.

In various example embodiments, one or more portions of the network 1080may be an ad hoc network, an intranet, an extranet, a VPN, a LAN, aWLAN, a WAN, a WWAN, a MAN, the Internet, a portion of the Internet, aportion of the PSTN, a plain old telephone service (POTS) network, acellular telephone network, a wireless network, a Wi-Fi® network,another type of network, or a combination of two or more such networks.For example, the network 1080 or a portion of the network 1080 mayinclude a wireless or cellular network, and the coupling 1082 may be aCode Division Multiple Access (CDMA) connection, a Global System forMobile communications (GSM) connection, or another type of cellular orwireless coupling. In this example, the coupling 1082 may implement anyof a variety of types of data transfer technology, such as SingleCarrier Radio Transmission Technology (1xRTT), Evolution-Data Optimized(EVDO) technology, General Packet Radio Service (CPRS) technology,Enhanced Data rates for GSM Evolution (EDGE) technology, thirdGeneration Partnership Project (3GPP) including 3G, fourth generationwireless (4G) networks, Universal Mobile Telecommunications System(UNITS), High Speed Packet Access (HSPA), Worldwide Interoperability forMicrowave Access (WiMAX), Long Term Evolution (LTE) standard, othersdefined by various standard-setting organizations, other long rangeprotocols, or other data transfer technology.

The instructions 1016 may be transmitted or received over the network1080 using a transmission medium via a network interface device (e.g., anetwork interface component included in the communication components1064) and utilizing any one of a number of well-known transfer protocols(e.g., hypertext transfer protocol (HTTP)). Similarly, the instructions1016 may he transmitted or received using a transmission medium via thecoupling 1072 (e.g., a peer-to-peer coupling) to the devices 1070. Theterms “transmission medium” and “signal medium” mean the same thing andmay be used interchangeably in this disclosure. The terms “transmissionmedium” and “signal medium” shall be taken to include any intangiblemedium that is capable of storing, encoding, or carrying theinstructions 1016 for execution by the machine 1000, and includesdigital or analog communications signals or other intangible media tofacilitate communication of such software. Hence, the terms“transmission medium” and “signal medium” shall be taken to include anyform of modulated data signal, carrier wave, and so forth. The term“modulated data signal” means a signal that has one or more of itscharacteristics set or changed in such a matter as to encode informationin the signal.

The terms “machine-readable medium,” “computer-readable medium” and“device-readable medium” mean the same thing and may be usedinterchangeably in this disclosure. The terms are defined to includeboth machine-storage media and transmission media. Thus, the termsinclude both storage devices/media and carrier waves/modulated datasignals.

Although an embodiment has been described with reference to specificexample embodiments, it will be evident that various modifications andchanges may be made to these embodiments without departing from thebroader spirit and scope of the invention. Accordingly, thespecification and drawings are to be regarded in an illustrative ratherthan a restrictive sense. The accompanying drawings that form a parthereof, show by way of illustration, and not of limitation, specificembodiments in which the subject matter may he practiced. Theembodiments illustrated are described in sufficient detail to enablethose skilled in the art to practice the teachings disclosed herein.Other embodiments may be utilized and derived therefrom, such thatstructural and logical substitutions and changes may be made withoutdeparting from the scope of this disclosure. This Detailed Description,therefore, is not to be taken in a limiting sense, and the scope ofvarious embodiments is defined only by the appended claims, along withthe full range of equivalents to which such claims are entitled.

Such embodiments of the inventive subject matter may be referred toherein, individually and/or collectively, by the term “invention” merelyfor convenience and without intending to voluntarily limit the scope ofthis application to any single invention or inventive concept if morethan one is in fact disclosed. Thus, although specific embodiments havebeen illustrated and described herein, it should be appreciated that anyarrangement calculated to achieve the same purpose may be substitutedfor the specific embodiments shown. This disclosure is intended to coverany and all adaptations or variations of various embodiments.Combinations of the above embodiments, and other embodiments notspecifically described herein, will be apparent to those of skill in theart upon reviewing the above description.

1. A data management system, comprising: a first storage deviceconfigured to store a base file associated with a first version of avirtual machine; a second storage device configured to store one or moreforward incremental files associated with one or more versions of thevirtual machine; and a mini-filter including one or more processors incommunication with the first storage device and the second storagedevice, the one or more processors of the mini-filter configured toperform operations including: identifying audit events associated withuser file accesses in a monitored computer system, the audit eventsincluding a create event and a subsequent event, the subsequent eventincluding a read, write, or cleanup event; resolving a pair valueincluding a user ID and remote IP address at the create event;associating the pair value with a file object id for the base file orthe one or more forward incremental files; and storing the associatedfile object id and pair value in a map in a file object cache.
 2. Thedata management system of claim 1, wherein the one or more processors isfurther configured to: retrieve the file object id from the file objectcache at e subsequent event.
 3. The data management system of claim 1,wherein the file object id is used as an authorization or verificationkey for the subsequent event.
 4. The data management system of claim 1,wherein the one or more processors is further configured to remove thefile object id from the map in the file object cache at a cleanup eventincluded in the subsequent event.
 5. The data management system of claim4, wherein the cleanup event includes a closing or deletion of a fileobject associated with the file object id.
 6. The data management systemof claim 5, wherein the one or more processors is further configured toapply a time stamp to the file object and remove the file object id andpair value from the map in the file object cache based on the timestampmeeting or exceeding a threshold value.
 7. A computer-implemented methodat a data management system, the method comprising: identifying auditevents associated with user file accesses in a monitored computersystem, the audit events including a create event and a subsequentevent, the subsequent event including a read, write, or cleanup event;resolving a pair value including a user ID and remote IP address at thecreate event; associating the pair value with a file object id for thebase file or the one or more forward incremental files; and storing theassociated file object id and pair value in a map in a file objectcache.
 8. The method of claim 7, wherein the one or more processors isfurther configured to: retrieve the file object id from the file objectcache at the subsequent event
 9. The method of claim 7, wherein the fileobject id is used as an authorization or verification key for thesubsequent event.
 10. The method of claim 7, wherein the one or moreprocessors is further configured to remove the file object id from themap in the file object cache at a cleanup event included in thesubsequent event.
 11. The method of claim 10, wherein the cleanup eventincludes a closing or deletion of a file object associated with the fileobject id.
 12. The method of claim 11, wherein the one or moreprocessors is further configured to apply a time stamp to the fileobject and remove the file object id and pair value from the map in thefile object cache based on the timestamp meeting or exceeding athreshold value.
 13. A non-transitory, machine-readable medium storinginstructions which, when read by a machine, cause the machine to performoperations comprising, at least: identifying audit events associatedwith user file accesses in a monitored computer system, the audit eventsincluding a create event and a subsequent event, the subsequent eventincluding a read, write, or cleanup event; resolving a pair valueincluding a user ID and remote IP address at the create event;associating the pair value with a file object id for the base file orthe one or more forward incremental files; and storing the associatedfile object id and pair value in a map in a file object cache.
 14. Themedium of claim 13, wherein the one or more processors is furtherconfigured to: retrieve the file object id from the file object cache ate subsequent event.
 15. The medium of claim 13, wherein the file objectid is used as an authorization or verification key for the subsequentevent.
 16. The medium of claim 13, wherein the one or more processors isfurther configured to remove the file object id from the map in the fileobject cache at a cleanup event included in the subsequent event. 17.The medium of claim 16, wherein the cleanup event includes a closing ordeletion of a file object associated with the file object id.
 18. Themedium of claim 17, wherein the one or more processors is furtherconfigured to apply a time stamp to the file object and remove the fileobject id and pair value from the map in the file object cache based onthe timestamp meeting or exceeding a threshold value.